Diffstat (limited to 'php-bug67410.patch')
-rw-r--r-- | php-bug67410.patch | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/php-bug67410.patch b/php-bug67410.patch
new file mode 100644
index 0000000..9e09d3a
--- /dev/null
+++ b/php-bug67410.patch
@@ -0,0 +1,41 @@
+From e77659a8c87272e5061738a31430d2111482c426 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 10 Jun 2014 14:02:36 +0200
+Subject: [PATCH] Fixed Bug #67410 fileinfo: mconvert incorrect handling of
+ truncated pascal string size
+
+Upstream
+https://github.com/file/file/commit/27a14bc7ba285a0a5ebfdb55e54001aa11932b08
+---
+ ext/fileinfo/libmagic/softmagic.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
+index 21fea6b..01e4977 100644
+--- a/ext/fileinfo/libmagic/softmagic.c
++++ b/ext/fileinfo/libmagic/softmagic.c
+@@ -881,10 +881,18 @@ mconvert(struct magic_set *ms, struct magic *m, int flip)
+ return 1;
+ }
+ case FILE_PSTRING: {
+- char *ptr1 = p->s, *ptr2 = ptr1 + file_pstring_length_size(m);
++ size_t sz = file_pstring_length_size(m);
++ char *ptr1 = p->s, *ptr2 = ptr1 + sz;
+ size_t len = file_pstring_get_length(m, ptr1);
+- if (len >= sizeof(p->s))
+- len = sizeof(p->s) - 1;
++ if (len >= sizeof(p->s)) {
++ /*
++ * The size of the pascal string length (sz)
++ * is 1, 2, or 4. We need at least 1 byte for NUL
++ * termination, but we've already truncated the
++ * string by p->s, so we need to deduct sz.
++ */
++ len = sizeof(p->s) - sz;
++ }
+ while (len--)
+ *ptr1++ = *ptr2++;
+ *ptr1 = '\0';
+--
+1.9.2
+ |
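Review bot: The new clamp in the `FILE_PSTRING` case still fires only when `len >= sizeof(p->s)`, so a length between `sizeof(p->s) - sz + 1` and `sizeof(p->s) - 1` is left unclamped. The copy loop reads from `ptr2 = ptr1 + sz`, so with `sz` of 2 or 4 such a length would make it read up to `sz - 1` bytes past the end of `p->s`, assuming `p->s` is the fixed-size array the `sizeof` implies. Comparing against the space that actually remains closes the gap: `if (len > sizeof(p->s) - sz) {`, with the assignment `len = sizeof(p->s) - sz;` kept as it is. The comment block could then state that `len` is limited to the bytes left after the length prefix. The body of `mconvert` starts and ends outside this hunk, so whether `len` is bounded earlier cannot be seen from here.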